CVE-2026-58251
Received Received - Intake

NATS Server Queue Subscription Bypass via Subject Deny

Vulnerability report for CVE-2026-58251, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
nats_io nats_server 2.14.0
nats_io nats_server 2.12.7
nats_io nats_server 2.11.16
nats_io nats_server to 2.14.0 (exc)
nats_io nats_server to 2.12.7 (exc)
nats_io nats_server to 2.11.16 (exc)
nats server to 2.11.16 (inc)
nats server to 2.12.7 (inc)
nats server to 2.14.0 (inc)
nats server to 2.12.6 (exc)
nats server to 2.11.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58251 is a vulnerability in the NATS Server that allows an authenticated user with subscription deny permissions to bypass subject-based deny rules by using a queue subscription.

Specifically, if a user has both allowed and denied subjects in their permissions, the server incorrectly permits queue subscriptions that should have been denied. This happens because the queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied.

For example, a subscription to a subject like "admin.secret" with a queue named "workers" should be denied due to a deny rule such as "admin.>", but the server allowed it because the queue deny check did not properly enforce deny rules.

The issue was fixed by modifying the permission check logic to ensure that queue subscriptions are denied as soon as any deny rule applies, preventing unauthorized access.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to messages on subjects that should have been denied by access control rules.

An authenticated user with mixed permissions could bypass deny rules using queue subscriptions, potentially receiving sensitive or confidential information that was intended to be restricted.

The CVSS score of 6.5 indicates a moderate severity with a high impact on confidentiality, meaning that the main risk is unauthorized disclosure of information.

Detection Guidance

This vulnerability involves an authenticated user bypassing deny rules by using queue subscriptions that should have been denied. Detection would involve monitoring for queue subscription commands that subscribe to subjects which are explicitly denied by ACL rules.

A practical approach is to audit NATS server logs for subscription commands (e.g., SUB commands) where the subject matches deny rules but the subscription is still accepted, especially those with queue groups.

For example, you can look for commands similar to: SUB <subject> <queue> <sid> where <subject> is in the deny list but the subscription is still allowed.

Specific commands or queries depend on your logging and monitoring setup, but searching logs for queue subscriptions to denied subjects such as 'admin.secret' with queue names like 'workers' can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the NATS Server to a fixed version where this vulnerability is addressed.

  • Upgrade to NATS Server version 2.14.0, 2.12.7, or 2.11.16 or later, as these versions contain the fix for this vulnerability.
  • Review and audit your ACL configurations, especially those involving combined plain subject deny rules and queue subscription permissions, to ensure no unintended permissions exist.
  • Temporarily restrict or monitor queue subscriptions if upgrading immediately is not possible.
Compliance Impact

CVE-2026-58251 is an authorization bypass vulnerability in the NATS Server that allows authenticated users to bypass deny rules for queue subscriptions, potentially receiving messages they should not have access to.

This vulnerability impacts confidentiality by allowing unauthorized access to restricted message subjects, which could lead to exposure of sensitive or regulated data.

Such unauthorized access could affect compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Organizations using vulnerable versions of NATS Server may risk non-compliance if sensitive data is exposed due to this flaw.

Mitigation involves upgrading to patched versions (2.14.0, 2.12.7, or 2.11.16) and reviewing ACL configurations to ensure deny rules are properly enforced.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58251. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart